The npm package cookie provides HTTP server cookie parsing and serialization, used for managing user sessions and storing preferences in web applications. Comparing versions 0.4.1 and 0.4.2 reveals the key updates. Version 0.4.2, released in February 2022, mainly upgrades its development dependencies. Notably, eslint moves from 6.8.0 to 7.32.0, giving stricter code linting and adherence to modern JavaScript standards, which can improve code quality and reduce errors. mocha, a popular testing framework, is updated from 7.1.1 to 9.2.0, bringing enhanced testing capabilities and support for newer JavaScript features. Furthermore, eslint-plugin-markdown for linting markdown files moves from 1.0.2 in version 0.4.1 to 2.2.1 in version 0.4.2, suggesting improved documentation practices and consistency. The increased unpacked size, 19721 bytes in 0.4.2 versus 18123 bytes in 0.4.1, likely reflects these dependency updates and possibly minor code enhancements. While the core functionality remains the same, these updates improve the developer experience with modern tooling.
Vulnerabilities affecting version 0.4.2 of the package
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting the userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of taken from user input.
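As an added example (not the cookie package's own code), the following serializer validates name, path and domain before building the Set-Cookie string, so the crafted name from the advisory above is rejected instead of being smuggled through. The two regexes are assumptions, modelled on the RFC 6265 cookie-name (token) syntax and on the stricter attribute check that 0.7.0 introduced.

```javascript
// Added example (not the cookie package's own code): a serializer that applies
// the kind of field validation cookie 0.7.0 introduced, so a crafted name,
// path or domain cannot smuggle extra attributes into the Set-Cookie string.

// RFC 6265 cookie-name: one or more RFC 7230 "token" characters, which
// excludes separators such as '=', ';', ' ', '<' and '>'.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Path and Domain attribute values: printable ASCII without ';' or '<'
// (assumed policy, modelled on the stricter check in cookie 0.7.0).
const ATTR_VALUE_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;

function safeSerialize(name, value, options = {}) {
  if (!COOKIE_NAME_RE.test(name)) {
    throw new TypeError('argument name is invalid');
  }
  // Percent-encode the value so it can never carry ';' or control characters.
  let str = `${name}=${encodeURIComponent(String(value))}`;

  if (options.maxAge !== undefined) {
    if (!Number.isInteger(options.maxAge)) {
      throw new TypeError('option maxAge is invalid');
    }
    str += `; Max-Age=${options.maxAge}`;
  }
  if (options.domain !== undefined) {
    if (!ATTR_VALUE_RE.test(options.domain)) {
      throw new TypeError('option domain is invalid');
    }
    str += `; Domain=${options.domain}`;
  }
  if (options.path !== undefined) {
    if (!ATTR_VALUE_RE.test(options.path)) {
      throw new TypeError('option path is invalid');
    }
    str += `; Path=${options.path}`;
  }
  if (options.httpOnly) str += '; HttpOnly';
  if (options.secure) str += '; Secure';
  return str;
}

// True when safeSerialize rejects the input with a TypeError, false otherwise.
function isRejected(name, value, options) {
  try {
    safeSerialize(name, value, options);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Because the value is percent-encoded and every attribute is checked against a whitelist of characters, the only way to add an attribute is through the options object, which the application controls.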